Re: Unbound in base, yes, what about ldns?

2014-03-24 Thread Dennis Davis
On Sun, 23 Mar 2014, Chris Smith wrote:

 From: Chris Smith obsd_m...@chrissmith.org
 To: Stuart Henderson s...@spacehopper.org
 Cc: OpenBSD-Misc misc@openbsd.org
 Date: Sun, 23 Mar 2014 22:09:00
 Subject: Re: Unbound in base, yes, what about ldns?

...

 How about this line added to rc.conf.local when using the package:
  syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log

 Is it still needed or should it be removed?

Probably.  If you're running chrooted and logging to syslog, you
should still need this line.

See the manual page for unbound.conf.  A cursory reading indicates
it doesn't seem to have materially changed from the version in the
port/package.  *But* cursory reading has let me and others down
badly in the past :-(
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Unbound in base, yes, what about ldns?

2014-03-23 Thread Chris Smith
On Thu, Mar 20, 2014 at 7:39 PM, Stuart Henderson s...@spacehopper.org wrote:
 You can uninstall the package if you don't need it, or you can keep it
 if you do need it (for example, for drill or the ldns-* tools).

How about this line added to rc.conf.local when using the package:
 syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log

Is it still needed or should it be removed?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-22 Thread Patrik Lundin
On Fri, Mar 21, 2014 at 01:41:37PM +, Stuart Henderson wrote:
 
 Kind-of; things will work properly if the validator is enabled now, and it's
 less bad than having /var/unbound/etc writable, but would really prefer to not
 have anything at all in the chroot be writable by the unprivileged _unbound
 user. Privilege separation would be desirable for this.
 

Just out of curiosity: how come the shipped unbound.conf file mentions
the module-config: setting? It appears to me that validator iterator
is the default, or am I missing something?

Regards,
Patrik Lundin



Re: Unbound in base, yes, what about ldns?

2014-03-21 Thread Chris Smith
On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
 See the thread unbound dnssec revisited I started on 12/30/2013 for
 some hints. Looks like creating a new directory with the proper
 permissions is the best way to go.

Now fixed in -current with a /var/unbound/db directory. Thanks Stuart!

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-21 Thread Stuart Henderson
On 2014/03/21 09:30, Chris Smith wrote:
 On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
  See the thread unbound dnssec revisited I started on 12/30/2013 for
  some hints. Looks like creating a new directory with the proper
  permissions is the best way to go.
 
 Now fixed in -current with a /var/unbound/db directory. Thanks Stuart!
 
 Chris

Kind-of; things will work properly if the validator is enabled now, and it's
less bad than having /var/unbound/etc writable, but would really prefer to not
have anything at all in the chroot be writable by the unprivileged _unbound
user. Privilege separation would be desirable for this.
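The chroot property Stuart describes above (nothing writable by _unbound except what must be) can be checked mechanically. The script below is an added example, not part of the thread or of OpenBSD's own tooling: it builds a constructed mock of /var/unbound in a temp directory and lists every path the daemon account could write to, approximating ownership by mode bits because a test cannot chown to _unbound.

```shell
#!/bin/sh
# Constructed example for this thread (not OpenBSD's own tooling): audit an
# unbound chroot for paths the unprivileged daemon account can write to.
# Ideally only the db directory (autotrust file) and the syslog socket show up.

# writable_by ROOT USER GROUP
# Print, relative to ROOT, every path that USER owns with u+w, that GROUP
# owns with g+w, or that anyone can write (o+w). USER/GROUP stand in for
# _unbound; ownership is approximated by mode bits since we cannot chown here.
writable_by() {
    root=$1; user=$2; group=$3
    find "$root" \( -user "$user" -perm -u+w \) -o \
                 \( -group "$group" -perm -g+w \) -o \
                 -perm -o+w | sed "s|^$root||" | LC_ALL=C sort
}

# audit_chroot ROOT USER GROUP EXPECTED...
# Return 0 when the writable set is exactly EXPECTED, 1 otherwise,
# printing the actual writable set to stderr on mismatch.
audit_chroot() {
    root=$1; user=$2; group=$3; shift 3
    expected=$(printf '%s\n' "$@" | LC_ALL=C sort)
    actual=$(writable_by "$root" "$user" "$group")
    [ "$actual" = "$expected" ] && return 0
    echo "unexpected writable set in $root:" >&2
    printf '%s\n' "$actual" >&2
    return 1
}

# make_demo_chroot: build a constructed mock of /var/unbound in a temp dir,
# mimicking -current: read-only etc/, a writable db/ for root.key, and the
# dev/log socket (a placeholder file here) that syslogd -a creates.
make_demo_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/db" "$root/dev"
    : > "$root/etc/unbound.conf"; : > "$root/etc/root.key"; : > "$root/dev/log"
    chmod 444 "$root/etc/unbound.conf" "$root/etc/root.key"
    chmod 666 "$root/dev/log"
    chmod 755 "$root/db"
    chmod 555 "$root/etc" "$root/dev" "$root"
    echo "$root"
}

# cleanup_demo ROOT: restore write bits so the mock tree can be removed.
cleanup_demo() { chmod -R u+w "$1" && rm -rf "$1"; }
```

On a real system you would run `writable_by /var/unbound _unbound _unbound` and expect only /db and /dev/log; anything else (such as /etc) is a regression of the problem discussed in this thread.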



Re: Unbound in base, yes, what about ldns?

2014-03-20 Thread Атанас Владимиров
Thanks.


2014-03-20 1:44 GMT+02:00 Chris Smith obsd_m...@chrissmith.org:

 See the thread unbound dnssec revisited I started on 12/30/2013 for
 some hints. Looks like creating a new directory with the proper
 permissions is the best way to go.


 On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com
 wrote:
  Hi,
  Sorry for Off-topic, but when you enable DNSSEC validation and fetch a
 root
  key with unbound-anchor(8) (needs root) the following error shows up in
  /var/log/messages:
 
  unbound: [0:0] error: could not open autotrust file for writing,
  /etc/root.key.29136-0: Permission denied
 
  Maybe this is because _unbound user has no rights to write to
  /var/unbound/etc/ after chroot.
  Am I correct? Any solutions?
 
  Best regards,
  Atanas



Re: Unbound in base, yes, what about ldns?

2014-03-20 Thread Stuart Henderson
On 2014-03-19, Chris Smith obsd_m...@chrissmith.org wrote:
 On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
 The unbound in base has its own cut down version of ldns. No need for
 the package.

 Can I just uninstall the package after the fact or do some files need
 to be replaced?

 Thanks,

 Chris



You can uninstall the package if you don't need it, or you can keep it
if you do need it (for example, for drill or the ldns-* tools).



Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
Great to see Unbound in base, thanks.

But what about ldns? I still have that installed as a package -
removed the unbound package as per the -current instructions, but
shouldn't the ldns package be removed as well as I believe
unbound requires it and therefore it would have to be built by base as
well. Or am I off-base?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Kenneth Westerback
On 19 March 2014 18:09, Chris Smith obsd_m...@chrissmith.org wrote:
 Great to see Unbound in base, thanks.

 But what about ldns? I still have that installed as a package -
 removed the unbound package as per the -current instructions, but
 shouldn't the ldns package be removed as well as I believe
 unbound requires it and therefore it would have to be built by base as
 well. Or am I off-base?

 Thanks,

 Chris


The unbound in base has its own cut down version of ldns. No need for
the package.

... Ken



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback
kwesterb...@gmail.com wrote:
 The unbound in base has its own cut down version of ldns. No need for
 the package.

Can I just uninstall the package after the fact or do some files need
to be replaced?

Thanks,

Chris



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Атанас Владимиров
Hi,
Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
key with unbound-anchor(8) (needs root) the following error shows up in
/var/log/messages:

unbound: [0:0] error: could not open autotrust file for writing,
/etc/root.key.29136-0: Permission denied

Maybe this is because _unbound user has no rights to write to
/var/unbound/etc/ after chroot.
Am I correct? Any solutions?

Best regards,
Atanas



Re: Unbound in base, yes, what about ldns?

2014-03-19 Thread Chris Smith
See the thread unbound dnssec revisited I started on 12/30/2013 for
some hints. Looks like creating a new directory with the proper
permissions is the best way to go.


On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:
 Hi,
 Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root
 key with unbound-anchor(8) (needs root) the following error shows up in
 /var/log/messages:

 unbound: [0:0] error: could not open autotrust file for writing,
 /etc/root.key.29136-0: Permission denied

 Maybe this is because _unbound user has no rights to write to
 /var/unbound/etc/ after chroot.
 Am I correct? Any solutions?

 Best regards,
 Atanas